DDoS attack: What you need to know

DDoS: What is it?

University network services were rendered unusable for the third time this semester on Monday morning when they were disrupted by a Distributed Denial of Service attack.

A Denial of Service (DoS) attack occurs when a single machine sends multiple requests to a target, with the aim of sending more than the target can handle, according to Incapsula’s website. A Distributed Denial of Service (DDoS) attack differs in that multiple machines, up to thousands, flood a target.

A DDoS is much harder to defend against, and depending on how many machines are attacking, can sometimes be unavoidable.

If a person is a server, then a ‘hack,’ or breach, would be an attacker quietly trying to steal their wallet. A DoS is analogous to the attacker tackling the victim and silencing him. A DDoS would be 30,000 different people all tackling the victim at the same time.

Rutgers employs DDoS mitigation services to help reduce the damage during an attack. Mitigation software is designed to automatically block attacking machines by determining where the attacks are coming from. While this can be more straightforward for a DoS attack, it is much more difficult with a DDoS.

Using the previous analogy, this is akin to putting the person in a room with automatic doors. If too many people start coming through one doorway, that door will close.

Before employing this third party tool, members of the Office of Information Technology, the Telecommunications Division’s Network Operations Center and other network administrators at the University would have to manually perform these tasks. This is no longer done locally.

The University notably uses Incapsula to protect its networks. This mitigation service minimizes the damage to the University networks when it works properly.

According to an email sent by Don Smith, Vice President and Chief Intelligence Officer for the OIT, the University has employed these services in conjunction with hardware upgrades to better protect the University’s servers.

Rutgers is also cooperating with the Rutgers University Police Department, the Federal Bureau of Investigation and the Office of Homeland Security and Preparedness to investigate the attacks that have occurred this year, according to the email.

University servers have been taken down four separate times this year. Two of these times have coincided with web registration for the next semester, and one occurred during midterm examinations.

According to an alleged attacker, the latest attack ended on Monday. The continuing troubles are a result of their overwhelming Incapsula as well as the University network, they said.

Whither art thou Internet?

Scenario 1

It is possible that exploiting vulnerabilities in the patches bought to protect the University would compound issues with service, resulting in the sporadic availability of Internet access in general and to certain sites within the Rutgers network.

These vulnerabilities, if they exist, may be caused by implementing the mitigation services too quickly in an attempt to prevent another attack.

Since the software works by restricting access to University networks, forcing it to go “haywire” and overdo its job is a possibility. This is something the OIT would have no control over.

Scenario 2

Smith’s email said the University has been hit by a continuous stream of attacks that were still ongoing as of 5:00 p.m. on Thursday night. Consistent attacks can also disrupt service, leading to the same issues seen throughout the course of this week.

Scenario 3

The disruptions may also be caused by a third party attacker who is unrelated to the previous disruptions.

These possibilities have not been confirmed by the OIT.

Scenario 4

Another rumored possibility is that the attacker ‘poisoned’ some Domain Name Systems within the Rutgers networks. A DNS is created to ensure users trying to access a website get to the right site — like a traffic cop directing cars to the right direction.

Because of how DNS services work, it is not likely that this has any impact on available services.

Will this happen again?

Incapsula is most likely halting other DDoS attacks against the University, allowing the OIT and other University groups to improve the hardware and software on-site. The process of upgrading hardware may also cause some of the disruptions seen.

"Cooperative Mechanism Against DDoS Attacks," a paper written in part by Manish Parashar, a professor in the Department of Computer Science, said DDoS attacks have been on the rise since 2005 and that detecting or mitigating them was difficult.

“DDoS attack is likely to become an increasing threat to the internet due to the easy availability of user-friendly attack tools,” the paper said. “Even an unsophisticated individual can launch a devastating attack with the help of these tools.”

Given the ferocity of the attacks, the perpetrator is likely very proficient at disrupting servers.

A report by neustar.biz showed significant increases in the number of DDoS attacks to a small group of businesses between 2012 and 2013. These attacks were also more damaging in the second year.

While attacks can be mitigated, outright blocking them is nearly impossible without stopping every individual attacking computer. The more computers that are used, the more difficult it becomes to stop an attack.

Editor's Note: Some of the information remains unconfirmed from official sources. Portions of this article stem from speculation from the author and network administrators.